feat: add OpenAI Codex OAuth plugin (layer 1)

Implements built-in OAuth authentication for ChatGPT Plus/Pro subscribers
to use OpenAI models via their existing subscription.

Features:
- PKCE OAuth flow with OpenAI's auth endpoints
- Local callback server on port 1455
- Cross-platform browser launching
- Automatic token refresh
- Integrated as default plugin in opencode

Based on: https://github.com/numman-ali/opencode-openai-codex-auth

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: brettheap

bun.lock

@@ -0,0 +1,122 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Authentication Successful - OpenCode</title>
+  <style>
+    * {
+      margin: 0;
+      padding: 0;
+      box-sizing: border-box;
+    }
+
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, Cantarell, sans-serif;
+      background: linear-gradient(135deg, #10a37f 0%, #1a7f64 100%);
+      min-height: 100vh;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      color: white;
+    }
+
+    .container {
+      text-align: center;
+      padding: 2rem;
+      max-width: 500px;
+    }
+
+    .icon {
+      width: 80px;
+      height: 80px;
+      margin: 0 auto 1.5rem;
+      background: rgba(255, 255, 255, 0.2);
+      border-radius: 50%;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      animation: pulse 2s ease-in-out infinite;
+    }
+
+    .icon svg {
+      width: 40px;
+      height: 40px;
+    }
+
+    @keyframes pulse {
+      0%, 100% {
+        transform: scale(1);
+        opacity: 1;
+      }
+      50% {
+        transform: scale(1.05);
+        opacity: 0.9;
+      }
+    }
+
+    h1 {
+      font-size: 2rem;
+      font-weight: 600;
+      margin-bottom: 1rem;
+    }
+
+    p {
+      font-size: 1.1rem;
+      opacity: 0.9;
+      line-height: 1.6;
+      margin-bottom: 1.5rem;
+    }
+
+    .hint {
+      font-size: 0.9rem;
+      opacity: 0.7;
+      background: rgba(255, 255, 255, 0.1);
+      padding: 0.75rem 1.5rem;
+      border-radius: 8px;
+      display: inline-block;
+    }
+
+    .brand {
+      margin-top: 3rem;
+      opacity: 0.6;
+      font-size: 0.85rem;
+    }
+
+    .brand strong {
+      font-weight: 600;
+    }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="icon">
+      <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+        <polyline points="20 6 9 17 4 12"></polyline>
+      </svg>
+    </div>
+
+    <h1>Authentication Successful!</h1>
+
+    <p>
+      You've successfully connected your ChatGPT account to OpenCode.
+      You can now use OpenAI models with your subscription.
+    </p>
+
+    <div class="hint">
+      You can close this window and return to your terminal.
+    </div>
+
+    <div class="brand">
+      Powered by <strong>OpenCode</strong>
+    </div>
+  </div>
+
+  <script>
+    // Auto-close after 5 seconds
+    setTimeout(() => {
+      window.close();
+    }, 5000);
+  </script>
+</body>
+</html>

packages/openai-codex-auth/assets/oauth-success.html

@@ -0,0 +1,30 @@
+{
+  "$schema": "https://json.schemastore.org/package.json",
+  "name": "@opencode-ai/openai-codex-auth",
+  "version": "1.0.0",
+  "type": "module",
+  "scripts": {
+    "typecheck": "tsgo --noEmit",
+    "build": "tsc"
+  },
+  "exports": {
+    ".": "./src/index.ts"
+  },
+  "files": [
+    "dist",
+    "assets"
+  ],
+  "dependencies": {
+    "@openauthjs/openauth": "^0.4.3",
+    "hono": "^4.10.4"
+  },
+  "peerDependencies": {
+    "@opencode-ai/plugin": "workspace:*"
+  },
+  "devDependencies": {
+    "@tsconfig/node22": "catalog:",
+    "@types/node": "catalog:",
+    "typescript": "catalog:",
+    "@typescript/native-preview": "catalog:"
+  }
+}

packages/openai-codex-auth/package.json

@@ -0,0 +1,178 @@
+/**
+ * Core OAuth implementation with PKCE
+ */
+
+import { randomBytes, createHash } from "crypto"
+import { OAUTH_CONFIG } from "../constants"
+import type { PKCEChallenge, OAuthTokenResponse, OAuthError, AuthCallbackResult } from "../types"
+import { openBrowser } from "./browser"
+import { startCallbackServer } from "./server"
+
+/**
+ * Generate a cryptographically secure random string
+ */
+function generateRandomString(length: number): string {
+  return randomBytes(length).toString("base64url").slice(0, length)
+}
+
+/**
+ * Create a SHA256 hash and return as base64url
+ */
+function sha256(input: string): string {
+  return createHash("sha256").update(input).digest("base64url")
+}
+
+/**
+ * Generate PKCE challenge (code_verifier and code_challenge)
+ */
+export function createPKCEChallenge(): PKCEChallenge {
+  // Generate a random 43-128 character code verifier
+  const codeVerifier = generateRandomString(64)
+  // Create the code challenge using S256 method
+  const codeChallenge = sha256(codeVerifier)
+  // Generate state for CSRF protection
+  const state = generateRandomString(32)
+
+  return {
+    codeVerifier,
+    codeChallenge,
+    state,
+  }
+}
+
+/**
+ * Build the authorization URL with PKCE parameters
+ */
+export function buildAuthorizationUrl(pkce: PKCEChallenge): string {
+  const params = new URLSearchParams({
+    client_id: OAUTH_CONFIG.clientId,
+    redirect_uri: OAUTH_CONFIG.redirectUri,
+    response_type: "code",
+    scope: OAUTH_CONFIG.scopes.join(" "),
+    state: pkce.state,
+    code_challenge: pkce.codeChallenge,
+    code_challenge_method: "S256",
+    audience: OAUTH_CONFIG.audience,
+  })
+
+  return `${OAUTH_CONFIG.authorizationUrl}?${params.toString()}`
+}
+
+/**
+ * Exchange authorization code for tokens
+ */
+export async function exchangeCodeForTokens(
+  code: string,
+  codeVerifier: string
+): Promise<OAuthTokenResponse> {
+  const response = await fetch(OAUTH_CONFIG.tokenUrl, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+    },
+    body: new URLSearchParams({
+      grant_type: "authorization_code",
+      client_id: OAUTH_CONFIG.clientId,
+      code,
+      redirect_uri: OAUTH_CONFIG.redirectUri,
+      code_verifier: codeVerifier,
+    }),
+  })
+
+  if (!response.ok) {
+    const error = (await response.json()) as OAuthError
+    throw new Error(`Token exchange failed: ${error.error_description || error.error}`)
+  }
+
+  return response.json() as Promise<OAuthTokenResponse>
+}
+
+/**
+ * Refresh an access token using the refresh token
+ */
+export async function refreshAccessToken(refreshToken: string): Promise<OAuthTokenResponse> {
+  const response = await fetch(OAUTH_CONFIG.tokenUrl, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+    },
+    body: new URLSearchParams({
+      grant_type: "refresh_token",
+      client_id: OAUTH_CONFIG.clientId,
+      refresh_token: refreshToken,
+    }),
+  })
+
+  if (!response.ok) {
+    const error = (await response.json()) as OAuthError
+    throw new Error(`Token refresh failed: ${error.error_description || error.error}`)
+  }
+
+  return response.json() as Promise<OAuthTokenResponse>
+}
+
+/**
+ * Decode a JWT token to extract claims (without verification)
+ */
+export function decodeJWT(token: string): Record<string, unknown> {
+  try {
+    const parts = token.split(".")
+    if (parts.length !== 3) {
+      return {}
+    }
+    const payload = Buffer.from(parts[1], "base64url").toString("utf-8")
+    return JSON.parse(payload)
+  } catch {
+    return {}
+  }
+}
+
+/**
+ * Perform the complete OAuth flow
+ * Returns authorization URL and callback handler
+ */
+export async function initiateOAuthFlow(): Promise<{
+  url: string
+  instructions: string
+  method: "auto"
+  callback: () => Promise<AuthCallbackResult>
+}> {
+  const pkce = createPKCEChallenge()
+  const authUrl = buildAuthorizationUrl(pkce)
+
+  // Start the callback server before returning
+  const callbackPromise = startCallbackServer(pkce.state)
+
+  return {
+    url: authUrl,
+    instructions: "Complete the authentication in your browser. You will be redirected back automatically.",
+    method: "auto" as const,
+    callback: async (): Promise<AuthCallbackResult> => {
+      try {
+        // Open browser
+        await openBrowser(authUrl)
+
+        // Wait for callback
+        const result = await callbackPromise
+
+        // Exchange code for tokens
+        const tokens = await exchangeCodeForTokens(result.code, pkce.codeVerifier)
+
+        // Calculate expiry time
+        const expiresAt = Date.now() + tokens.expires_in * 1000
+
+        return {
+          type: "success",
+          refresh: tokens.refresh_token,
+          access: tokens.access_token,
+          expires: expiresAt,
+        }
+      } catch (error) {
+        return {
+          type: "failed",
+          error: error instanceof Error ? error.message : "Unknown error",
+        }
+      }
+    },
+  }
+}